Okta users warned as ShinyHunters expand vishing wave
Security researchers are warning Okta single sign-on customers that a highly interactive social engineering campaign linked to ShinyHunters is expanding in scope and targeting. The activity combines voice phishing with real-time phishing toolkits that capture credentials and multi-factor authentication tokens during live login sessions, and is now drawing wider concern from identity and SaaS security specialists.
Google's threat intelligence team recently detailed how the campaign has evolved and suggested that a separate threat group may be using similar methods. The report described broader targeting across major SaaS platforms and noted more aggressive extortion behaviour, including harassment of victim employees.
These developments follow a series of high-profile incidents in which threat actors impersonated IT or support staff and guided victims through spoofed login pages controlled by phishing toolkits. The tools relay credentials and MFA codes in real time to bypass standard authentication checks.
Identity focus
Specialists in identity security say the campaign highlights a shift in attacker focus from technical exploits to the interplay of users, processes and access systems.
"This campaign reinforces that identity is the convergence point of people, process, and technology, and where defenders can most accurately assess real risk. Attackers are no longer just exploiting credentials; they are manipulating human behavior, abusing legitimate workflows, and chaining access in ways that static controls cannot see. Without continuous identity observability, organizations have no reliable way to understand whether access aligns with expected behavior, policy, and intent across users, systems, and applications. Treating identity as a living system allows security teams to measure the likelihood of successful outcomes like data exfiltration, system locking, or DDoS as attackers pursue triple extortion strategies. This is why identity must sit at the center of Zero Trust architectures, not as an access gate, but as a continuously monitored control plane for cyber risk," said Paul Dant, Senior Solutions Consultant, Radiant Logic.
Security teams have increasingly adopted Zero Trust principles in response to identity-driven attacks. The current campaigns underline the challenge of validating that each access request aligns with expected behaviour in complex SaaS environments.
Expanded targeting
Google's analysis of the ShinyHunters-linked activity pointed to a wider array of targeted cloud services and collaboration platforms. It also flagged a potential copycat or parallel group that is using comparable phishing and vishing workflows.
AppOmni executives said the Google report marks a shift in the public detail available to defenders about the campaign's technical footprint.
"What's genuinely new here isn't the broad pattern (vishing, stolen creds/MFA, SaaS data theft), but the operational detail Google put on the record, especially the volume and specificity of indicators of compromise that weren't previously public," said Cory Michal, CSO, AppOmni.
"Publishing concrete domains, tooling names/artifacts, and workflow-level signals gives defenders something they can deploy immediately at scale (email/web filtering, OAuth/app controls, identity telemetry detections, and retro-hunting), and it helps the ecosystem disrupt infrastructure and tradecraft faster by enabling consistent blocking and takedown actions across many organizations rather than each team rediscovering the same indicators in isolation," said Michal.
Social engineering
The campaigns rely heavily on voice phishing and scripted interactions with victims. Attackers persuade users to approve login requests, reset MFA, or provide one-time codes while they operate phishing kits in parallel.
Michal said the pattern fits a longer-running trend in which attackers refine social engineering rather than rely on undisclosed software flaws.
"This is consistent with what AppOmni has been warning organizations about since mid-2024: These groups are succeeding less because of 'new exploits' and more because social engineering and identity compromise still work. They keep iterating, and it pays off," said Michal.
Voice-led attacks have grown more sophisticated as adversaries script calls, spoof phone numbers and mirror legitimate support workflows. The phishing kits used in tandem often adapt in real time to the conversation, which increases the success rate of capturing valid session data.
Defensive steps
Security practitioners argue that organisations need tighter controls around high-risk identity actions and SaaS access, including more resilient authentication measures and closer scrutiny of support processes.
"Unless organizations actively disrupt the playbook by enforcing phishing-resistant MFA for high-risk actions, hardening help desk and MFA enrollment/reset processes, tightening OAuth/app consent controls, and continuously monitoring SaaS audit telemetry for the specific behaviors that follow credential capture, these campaigns will continue to convert, because the attackers are operating in the seam between identity controls and SaaS data access," said Michal.
The Google report included a substantial list of domains, infrastructure artefacts and behavioural signals associated with the campaign. Security teams can use those indicators in threat hunting and retrospective log analysis.
"Companies should treat this as both a hunt and prevent problem: First, take the IoCs in the report and run them through your detection-and-response workflows (SIEM/SOAR, email security, web proxy/DNS, EDR, and SaaS audit logs) to identify any historical or active exposure," said Michal.
Domain monitoring and early blocking of lookalike sites are another focus area identified by AppOmni.
"Second, add continuous monitoring for look-alike domain registrations that incorporate your company name or common brands you use for login, support, and HR. In many of these campaigns, those newly registered domains are a leading indicator: they show up before the first vishing call, so catching and blocking them early (and tightening your help desk/MFA enrollment controls in parallel) can meaningfully reduce the chance the intrusion ever gets to the 'mass download and extortion' stage," said Michal.
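The two defensive steps Michal describes, running published IoC domains through SaaS audit logs and watching for look-alike registrations of the brands users log in through, can both be scripted. The Python below is an added example written for this article, not AppOmni's, Google's or Okta's tooling; the brand names, allow-list, IoC domains, IP addresses and JSON audit events are all constructed, and the event names are placeholders rather than any vendor's real log schema. It goes slightly beyond the quote by also grouping the high-risk actions that follow credential capture by user, which is the list a responder would work through first.

```python
"""Added example: hunt IoC domains in SaaS audit logs and flag look-alike registrations.
Every brand, domain, IP address and log line below is constructed for illustration."""
from __future__ import annotations

import json
import re
from urllib.parse import urlsplit

# Constructed: our own brand plus the identity brand users log in through.
BRANDS = ["acme", "okta"]
# Constructed: legitimate domains that must never be flagged.
ALLOWLIST = {"acme.com", "acme.okta.com", "okta.com"}
# Tokens commonly glued onto a brand by combosquatting registrations.
RISKY_TOKENS = {"sso", "login", "signin", "auth", "mfa", "verify",
                "help", "helpdesk", "support", "hr", "okta"}
# Visually confusable glyphs mapped to the letter they imitate.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def canonical(label: str) -> str:
    """Collapse look-alike glyphs so 'acrne' and '0kta' compare as 'acme' and 'okta'."""
    for glyph, letter in HOMOGLYPHS.items():
        label = label.replace(glyph, letter)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; labels are short, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label, e.g. 'acme-sso-help' for 'acme-sso-help.com'.
    Assumption: single-label TLDs; a real deployment would consult the public suffix list."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_reasons(domain: str) -> list[str]:
    """Return why a newly registered domain resembles a protected brand ([] means clean)."""
    if domain.lower() in ALLOWLIST:
        return []
    label = registrable_label(domain)
    canon = canonical(label)
    tokens = set(re.split(r"[-_]", canon))
    reasons = []
    for brand in BRANDS:
        if len(tokens) > 1:  # hyphenated registration such as acme-sso-help
            extra = (tokens - {brand}) & RISKY_TOKENS
            if brand in tokens and extra:
                reasons.append(f"combosquat of {brand!r} with {sorted(extra)}")
            continue
        if canon == brand:
            reasons.append(f"homoglyph of {brand!r}" if label != brand
                           else f"{brand!r} under an unexpected TLD")
        elif 0 < edit_distance(canon, brand) <= 1:
            reasons.append(f"typosquat of {brand!r}")
        elif canon.startswith(brand) and canon[len(brand):] in RISKY_TOKENS:
            reasons.append(f"combosquat of {brand!r} with [{canon[len(brand):]!r}]")
        elif canon.endswith(brand) and canon[:-len(brand)] in RISKY_TOKENS:
            reasons.append(f"combosquat of {brand!r} with [{canon[:-len(brand)]!r}]")
    return reasons


def flag_lookalikes(new_registrations: list[str]) -> dict[str, list[str]]:
    """Map each suspicious registration to its reasons; clean domains are omitted."""
    return {d: r for d in new_registrations if (r := lookalike_reasons(d))}


# Constructed stand-in for the IoC domains a published report would supply.
IOC_DOMAINS = {"acme-sso-help.com", "okta-verify-acme.net"}
# Constructed placeholder event names for actions that typically follow credential capture.
POST_CAPTURE_EVENTS = {"user.mfa.factor.reset_all", "app.oauth2.consent", "export.bulk_download"}
# Constructed SaaS audit events as JSON lines (placeholder schema, not a vendor's real one).
SAMPLE_AUDIT_LOG = """\
{"ts": "2025-01-10T09:12:03Z", "user": "j.doe@acme.com", "event": "user.authentication.sso", "client_ip": "198.51.100.7", "origin": "https://acme.okta.com"}
{"ts": "2025-01-10T09:14:41Z", "user": "j.doe@acme.com", "event": "user.mfa.factor.reset_all", "client_ip": "203.0.113.9", "origin": "https://acme-sso-help.com/login"}
{"ts": "2025-01-10T09:15:02Z", "user": "a.smith@acme.com", "event": "app.oauth2.consent", "client_ip": "203.0.113.9", "origin": "https://OKTA-VERIFY-ACME.NET/cb"}
{"ts": "2025-01-10T09:20:00Z", "user": "m.lee@acme.com", "event": "user.session.start", "client_ip": "198.51.100.8", "origin": "https://acme.okta.com"}
"""


def hunt_iocs(log_text: str, iocs: set[str]) -> list[dict]:
    """Return audit events whose origin host is an IoC domain or a subdomain of one."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        host = urlsplit(event.get("origin", "")).hostname or ""  # .hostname is lowercased
        for ioc in iocs:
            if host == ioc or host.endswith("." + ioc):
                hits.append({**event, "ioc": ioc})
                break
    return hits


def post_capture_activity(hits: list[dict]) -> dict[str, list[str]]:
    """Group IoC-linked high-risk events by user; these accounts are reviewed first."""
    by_user: dict[str, list[str]] = {}
    for event in hits:
        if event["event"] in POST_CAPTURE_EVENTS:
            by_user.setdefault(event["user"], []).append(event["event"])
    return by_user


if __name__ == "__main__":
    print(flag_lookalikes(["acme-sso-help.com", "acrne.com", "acmee.net",
                           "acmelogin.com", "acme.com", "example.org"]))
    print(post_capture_activity(hunt_iocs(SAMPLE_AUDIT_LOG, IOC_DOMAINS)))
```

In practice the registration feed would come from certificate transparency logs or a zone-file service and the audit events from the SaaS platform's own export; the matching logic stays the same. The homoglyph table and risky-token list are deliberately small, so expect to extend them with the brands and phrasing your own help desk uses.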